News that data for millions of Visa and MasterCard holders may have been …

What happened?

According to published reports, Visa and MasterCard recently warned card-issuing banks that a third-party payments processor suffered a security breach. This breach may have exposed the Track 1 and Track 2 data needed to counterfeit cards. The compromise, according to both KrebsonSecurity and The Wall Street Journal, happened sometime between January 21 and February 25. It's not clear if attackers had access for that entire period.

After the reports were published, Global Payments Inc.—an Atlanta-based company that says on its website it handles "billions and billions of transactions per year for over a million points of service across North America"—issued an advisory confirming it had "identified and self-reported unauthorized access into a portion of its processing system." In early March, the statement added, company executives "determined card data may have been accessed" and promptly alerted Visa, MasterCard and the US Secret Service. Global Payments has scheduled a press conference for Monday morning at 8 am EST.

Both card issuers have released public statements saying a security breach at a payment processor may have compromised card data.

How many cards are compromised?

The extent of the breach hasn't been determined. None of the public statements have addressed how many cards are at risk. The WSJ report cites people familiar with the investigation as saying "hundreds of thousands" of cards may be compromised. KrebsonSecurity says the number affected may be as high as 10 million. The latter publication also said fraudulent activity "appears to be centering around commercial credit and debit cards (those issued to businesses)."

What about my credit card? Should I be worried?

Consumers generally aren't responsible for fraudulent charges made to their credit cards, so the biggest harm they face when a card is compromised is the hassle of getting a new account. The situation is less clear cut for businesses that use debit cards. Large issuer banks have said they are monitoring accounts for suspicious transactions and will notify customers of any discoveries.

What's a payment processor, anyway, and how does Global Payments fit in?

Third-party payment processors are behind-the-scenes companies that serve as middlemen between merchants accepting credit-card payments and banks issuing the cards. They coordinate the flow of information to make sure card holders don't exceed their credit limit before authorizing a purchase. They also provide an accounting used in the settlement of each transaction. Because the processors handle millions or billions of transactions a day, they store enormous amounts of sensitive data.

"Payment processors are close to the heart and soul of the financial payment processing system," says James Cowing. Cowing is the managing director of the Digital Resources Group, a security assessment firm that helps to certify that merchants, banks, and payment processors are complying with industry-mandated requirements known as PCI Data Security Standards. "When people are attacking them, they are going for big-time gold. They're the big vault that people who are trying to attack and steal card data would go to for the big pay off."

Global Payments was the seventh-biggest "merchant acquirer" in the US last year, according to the WSJ. The paper cited a payments-industry newsletter called the Nilson Report. It has contracts with retailers to process card transactions.

Is this this first time a third-party processor has suffered a security breach?

A few years later, an attack on another large credit-card processor, Heartland Payment Systems, exposed data for millions more cards. Prosecutors later accused serial hacker Albert Gonzalez of masterminding the intrusion, which got its foothold by exploiting a SQL injection vulnerability in the company's website. Gonzalez eventually pleaded guilty to the charges, which also included sophisticated attacks on retailer TJX, restaurant chain Dave and Busters, the Hannaford Brothers supermarket chain, 7-Eleven and other companies. In all, Gonzalez acquired data for some 130 million cards.

Digital Resources Group's Cowing says such intrusions are common place.

"These types of breaches happen all the time to smaller organizations and they don't get the notoriety, but when you hit one of the top 10, you make the front pages of all the newspapers," he explains.

So what has happened since the Global Payments breach came to light?

Visa and Global Payments have said the intrusion is being investigated by a private forensics company and agents of the US Secret Service. They aren't providing details, but Cowing says such probes typically involve a painstaking analysis of system logs and what's known as file integrity monitors. The file integrity monitors track changes to sensitive network files to uncover any changes that may have been made by malware. An examination of a single hard drive may take 10 hours to process. The results then must be compared with numerous other findings.

"This is a very difficult time for anyone who's going through a breach," he said. "You've got a lot of card holders that could be exposed. It's a very chaotic time."